Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.
How can I update the cross-realm trust principal password for an existing Amazon EMR cluster?
I set up cross-realm trust with an Active Directory domain on a Kerberized Amazon EMR cluster. I need to change the principal password.
Resolution
Amazon EMR creates a krbtgt principal using the cross-realm trust principal password that you specify at cluster launch. This principal is stored in the key distribution center (KDC) on the master node. It looks similar to the following: krbtgt/ADTrustRealm@KerberosRealm
To update the cross-realm trust principal password:
-
Open the kadmin.local tool:
sudo kadmin.local -
List all principals to find the principal that you want to update (for example, krbtgt/MYADDOMAIN.COM@MYEMRDOMAIN.COM):
list_principals -
Run the following command to update the password for the cross-realm trust principal. In the following example, replace krbtgt/MYADDOMAIN.COM@MYEMRDOMAIN.COM with your principal.
change_password krbtgt/MYADDOMAIN.COM@MYEMRDOMAIN.COM -
Exit the kadmin.local tool:
exit -
To confirm that the new password works, obtain a Kerberos ticket for an Active Directory user and then list HDFS files. For example:
kinit myaduser@MYADDOMAIN.COM hdfs dfs -ls /tmp
Related information
Tutorial: Configure a cross-realm trust with an Active Directory domain
How can I renew an expired Kerberos ticket that I'm using for Amazon EMR authentication?
- Topics
- Analytics
- Tags
- Amazon EMR
- Language
- English
Relevant content
- asked 4 years ago
- asked 3 years ago
- asked 2 years ago
- AWS OFFICIALUpdated 2 years ago
